TCP/IP Hijacking is one of the most simple, yet powerful attacks a hacker can use. With proper use TCP/IP
Hijacking can be used to sniff passwords and other information from a switched network. When an Ethernet network
uses a HUB, packets that are sent to the hub from a PC on the network are transmitted to all of its
ports. Using a HUB on your network makes sniffing all the data on the network easy. What about sniffing on a
switched network? A switch is more intelligent than a hub. On a switched network, the switch inspects packets
that it receives, then forwards each packet to the correct destination according to its table. This makes
sniffing on the network a bit harder.

What is TCP/IP Hijacking?

With TCP/IP Hijacking an attacker sets up a device on the network that tricks other devices on the network
into sending their packets to it instead of where they are intended to go. With wired networks, TCP/IP Hijacking
will use a technique known as spoofing, which is basically the act of pretending to be something you are not.

One of the most common types of spoofing used in TCP/IP Hijacking is Address Resolution Protocol (ARP)
spoofing. Every computer on an Ethernet network using TCP/IP must have a unique IP address. They must also have
another address known as the media access control (MAC) address so they can move packets around the network. Each
computer on the network will then keep a table of IP Address and their corresponding MAC address, known as the ARP
Table. When ARP Spoofing a hacker will change that table to redirect packets on the network to their computer.

Example of ARP Spoofing

In this example I will be using ARP spoofing between my laptop and desktop on my switched network.

There it is. The target machine now thinks that the gateway's MAC address is mine.

Time to open up the sniffer. You can use whatever sniffer you feel more comfortable with; in the example I used
Wireshark. I ran Wireshark for a few minutes, then went back and looked at all the packets I collected. The main
thing I am looking for right now is the POP3 username and password. I look through the list and see some lines that
contain POP3 in them. I right-clicked on one of the packets and clicked Follow TCP Stream. What I saw was this:
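The post above shows the attacker's side: a forged ARP reply makes the target believe the gateway's IP maps to the attacker's MAC. The mirror image of that, as an added example that is not part of the original post, is a small monitor that parses ARP replies out of raw Ethernet frames and flags the symptoms of cache poisoning: a trusted binding (such as the gateway's) being contradicted, a previously learned IP-to-MAC binding changing, one MAC claiming several IPs, and an ARP sender MAC that disagrees with the frame's Ethernet source. The frames below are constructed inline as sample input; the addresses, the `ArpMonitor` class and the helper names are assumptions of this example. In practice the frames would come from a capture library or a sniffer export.

```python
"""ARP poisoning detector run over constructed sample frames (added example, not from the post)."""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REPLY = 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes):
    """Parse an Ethernet frame; return the ARP fields, or None if it is not ARP over IPv4."""
    if len(frame) < 42:                       # 14-byte Ethernet header + 28-byte ARP body
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    return {
        "eth_src": mac_str(src),
        "op": op,
        "sender_mac": mac_str(sha),
        "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha),
        "target_ip": ip_str(tpa),
    }


class ArpMonitor:
    """Track the IP->MAC bindings seen in ARP replies and report suspicious changes."""

    def __init__(self, trusted=None):
        self.trusted = dict(trusted or {})   # ip -> mac known to be correct (e.g. the gateway)
        self.learned = {}                    # ip -> mac, first binding observed on the wire
        self.ips_by_mac = defaultdict(set)   # mac -> set of IPs that MAC has claimed

    def observe(self, frame: bytes):
        """Feed one frame; return a list of alert strings (empty if nothing is wrong)."""
        alerts = []
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return alerts
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if mac != arp["eth_src"]:
            alerts.append(f"{ip}: ARP sender MAC {mac} differs from frame source {arp['eth_src']}")
        if ip in self.trusted and self.trusted[ip] != mac:
            alerts.append(f"{ip}: expected {self.trusted[ip]}, reply claims {mac}")
        prev = self.learned.setdefault(ip, mac)
        if prev != mac:
            alerts.append(f"{ip}: binding changed from {prev} to {mac}")
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            alerts.append(f"{mac} claims several IPs: {sorted(self.ips_by_mac[mac])}")
        return alerts


def sample_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed ARP reply frame used only as sample input for the demo."""
    mac_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
    ip_bytes = lambda a: bytes(int(x) for x in a.split("."))
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


# Constructed addresses for the demo (assumptions, not from the post).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:10"
OTHER_IP, OTHER_MAC = "192.168.1.20", "00:11:22:33:44:20"


def run_demo():
    """Replay three replies; the third claims the gateway IP with another host's MAC."""
    monitor = ArpMonitor(trusted={GATEWAY_IP: GATEWAY_MAC})
    frames = [
        sample_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # genuine gateway reply
        sample_reply(OTHER_MAC, OTHER_IP, VICTIM_MAC, VICTIM_IP),      # genuine reply from another host
        sample_reply(OTHER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # poisoned: gateway IP, other MAC
    ]
    return [monitor.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(run_demo(), 1):
        print(f"frame {i}: {alerts or 'ok'}")
```

The trusted table is what makes this useful on a real segment: seed it from a known-good `arp -a` or from the switch's own records, and the monitor catches the exact change the post describes (the gateway IP suddenly answering from a different MAC) even if it missed the first genuine reply.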

Heh. That is easy, but as DigitolJedi said, we need to learn how to do this remotely... But there really wouldn't be a way to do it remotely in my eyes, providing that the network is private... I can't access my school files remotely; most networks block out all other traffic besides the ones in their own network. Network switches are, as GhostHawk stated, more powerful than network hubs, because they inspect (determine the source & destination of) network packets.

Remote attacks... Don't you think you'd have to have internal access, considering that a switch network has the ability to detect the sources of packets? If it can detect them, doesn't common sense say that it can block them as well?

Hey, I was just wondering how to spoof an ARP if you're not on the same subnet. Let's say I have IP 192.168.2.2 (192.168.2.1 is a router) and the PC I want to spoof is 192.168.1.2 (192.168.1.1 is a router -> also a router to WAN).

Watching network traffic can make you a little dizzy in a shell. I think this is a good use of a GUI. So I'm +1 for Wireshark. Not to mention the sheer amount of protocols it can decode, isn't it at like 10,000 or something ridiculous? In actuality, I prefer to have it up even if I am using something like ettercap because if you're experimenting on your home net or something, you can see if the traffic is truly going where you think it's going.